Gigamon says it can analyze attacker SSL traffic without hitting performance

29.10.2014
Encrypting data traffic is mandatory for safeguarding information. But when attackers use encryption to mask their activity, it can be hard for enterprises to figure out what they're stealing.

Gigamon, based in Santa Clara, California, says it has developed a capability to deeply analyze all SSL/TLS (Secure Sockets Layer/Transport Layer Security) traffic.

SSL/TLS is the cornerstone of Web security, encrypting data between a client and a server. If the traffic is intercepted, it appears as gibberish unless the person has the corresponding private encryption key required to decrypt it.

Analyst Gartner predicts that attackers will increasingly use encryption in order to try to evade security products, from around 5 percent of network attacks using encryption today to 50 percent by 2017.

Many organizations now want to have visibility on the encrypted traffic, so are deploying SSL proxies, which are incorporated into a firewall or a load balancer, said Ananda Rajagopal, Gigamon's vice president for product management.

The proxy terminates the SSL session with a remote server and initiates a new one, which gives it an accessible private key, Rajagopal said. It means that all SSL traffic can now be analyzed for traits that might indicate an attack is underway.

Other security related vendors are using this method to look at the traffic and run checks, but it is done in-line or in-band, as the traffic is moving back and forth. Since that traffic is live, there is a limit on the amount of scans that can be done without impacting performance.

What Rajagopal said Gigamon has cracked is the ability to run many more security checks on the decrypted SSL traffic. Gigamon peels off SSL traffic and analyzes it without disrupting the flow of data by creating a copy of it and subjecting it to many more analyses.

"There is a limit in terms of how many tools can be deployed in band," Rajagopal said. "Your performance is as strong as the weakest link."

In-line products tend to only have a firewall, an anti-malware scan and intrusion protection system to maintain performance, Rajagopal said.

Gigamon runs the copied SSL traffic through what it calls its "Visibility Fabric," which runs a range of checks, including intrusion detection, anti-malware, file activity monitoring, customer experience management, security information and event management, data loss prevention as well as network and application performance management checks.

Visibility Fabric is network-agnostic and can take data feeds for analysis from a variety of products from other vendors, including Gigamon partners such as FireEye, Cisco's SourceFire, Imperva and Palo Alto Networks, among others, Rajagopal said.

The SSL application, which will be sold as a license for Gigamon's Visibility Fabric, will be available in the second half of November, he said.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Jeremy Kirk